This Metasploit module exploits a stack overflow in the FutureSoft TFTP Server 2000 product. By sending an overly long transfer-mode string, we were able to overwrite both the SEH record and the saved EIP. The write exception that follows hands control to the overwritten SEH handler, which transfers execution to our shellcode. This Metasploit module has been tested against Windows 2000 Professional and, for some reason, does not seem to work against Windows 2000 Server (the overflow could not be triggered at all).

-
Vulnerability Information

-
Vulnerability Description

A remote overflow exists in TFTP Server 2000. The application fails to perform proper bounds checking, resulting in a buffer overflow. With a specially crafted request containing an overly long filename or transfer-mode string, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.

-
Timeline

Disclosure date:
2005-05-31

Discovery date:
2005-05-18

Exploit date: 2005-06-02

Fix date: Unknown

-
Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

-
Affected Program Versions

-
Vulnerability Discussion

FutureSoft TFTP Server 2000 is affected by multiple remote vulnerabilities. Exploiting these issues can allow an attacker to retrieve arbitrary files and carry out buffer-overflow attacks.

The following specific issues were identified:

- Multiple buffer overflow vulnerabilities. A successful attack may allow the attacker to execute arbitrary code on a vulnerable computer and gain unauthorized access in the context of the server. A denial-of-service condition may arise as well.

- A directory-traversal vulnerability. A successful attack may allow the attacker to access arbitrary files (if the server has permissions to access the file).

These issues have been confirmed on TFTP Server 2000 Evaluation Version 1.0.0.1. Other versions may be affected as well.

-
Exploit

The following proof-of-concept examples are available:

A crafted packet with an overly long filename string.

------------------------------------------
|RRQ|AAAAAAAAAAAAAAAA....|NULL|octet|NULL|
------------------------------------------

A crafted packet with an overly long transfer-mode string.

------------------------------------------
|RRQ|a.txt|NULL|AAAAAAAAAAAAAAA.....|NULL|
------------------------------------------

tftp -i 192.168.2.5 GET ../../../../../boot.ini
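As an added worked example (not code from this page, from the Metasploit module, or from the vendor), the following Python builds the three request shapes sketched above in the RFC 1350 RRQ wire format (2-byte opcode, filename, NUL, mode, NUL) and runs them through a bounds-checked parser that refuses each of them. The bug the advisory describes is copying an attacker-controlled string into a fixed-size buffer without first checking its length; the parser below checks every length before the field is used, and the path check refuses the `../../../../../boot.ini` traversal. The field limits, the served root `/tftpboot`, and all function names are assumptions for illustration, not values taken from TFTP Server 2000.

```python
# Added example: crafting RFC 1350 RRQ packets like the PoCs above and
# parsing them with the bounds checks the vulnerable server lacked.
# Not code from the original page or from the Metasploit module.
import posixpath
import struct

OPCODE_RRQ = 1
VALID_MODES = ("netascii", "octet", "mail")

# Assumed limits for the hardened parser; not taken from TFTP Server 2000.
# 8 is the length of "netascii", the longest legal transfer mode.
MAX_FILENAME = 255
MAX_MODE = 8


def build_rrq(filename: bytes, mode: bytes = b"octet") -> bytes:
    """|opcode=1|filename|NUL|mode|NUL| exactly as in the PoC diagrams."""
    return struct.pack("!H", OPCODE_RRQ) + filename + b"\x00" + mode + b"\x00"


def long_filename_rrq(length: int = 1024) -> bytes:
    """PoC 1: overly long filename, legitimate mode."""
    return build_rrq(b"A" * length, b"octet")


def long_mode_rrq(length: int = 1024) -> bytes:
    """PoC 2: legitimate filename, overly long transfer-mode string."""
    return build_rrq(b"a.txt", b"A" * length)


def traversal_rrq() -> bytes:
    """PoC 3: what 'tftp -i ... GET ../../../../../boot.ini' puts on the wire."""
    return build_rrq(b"../../../../../boot.ini", b"octet")


def parse_rrq(pkt: bytes):
    """Bounds-checked RRQ parser returning (filename, mode).

    Every length check happens BEFORE the field would be copied anywhere,
    which is the step the vulnerable server skipped. Raises ValueError on
    anything malformed."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode != OPCODE_RRQ:
        raise ValueError("opcode %d is not RRQ" % opcode)
    fields = pkt[2:].split(b"\x00")
    # Expect filename, mode, and the empty tail after the final NUL
    # (RFC 2347 option pairs, if any, would follow as extra fields).
    if len(fields) < 3:
        raise ValueError("missing NUL terminator")
    filename, mode = fields[0], fields[1]
    if not filename or len(filename) > MAX_FILENAME:
        raise ValueError("filename length %d out of range" % len(filename))
    if len(mode) > MAX_MODE:
        raise ValueError("mode length %d out of range" % len(mode))
    mode_s = mode.decode("ascii", "replace").lower()
    if mode_s not in VALID_MODES:
        raise ValueError("unknown transfer mode")
    return filename.decode("ascii", "replace"), mode_s


def resolve_under_root(filename: str, root: str = "/tftpboot") -> str:
    """Map a requested name onto the served directory, refusing traversal.

    Backslashes are folded to '/' first because the target is a Windows
    server, where '..\\..\\boot.ini' is just as effective."""
    name = filename.replace("\\", "/").lstrip("/")
    joined = posixpath.normpath(posixpath.join(root, name))
    if joined != root and not joined.startswith(root + "/"):
        raise ValueError("path escapes %s: %s" % (root, filename))
    return joined


def classify_rrq(pkt: bytes, root: str = "/tftpboot") -> str:
    """Convenience wrapper: 'accepted:<path>' or 'rejected:<reason>'."""
    try:
        filename, _mode = parse_rrq(pkt)
        return "accepted:" + resolve_under_root(filename, root)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    samples = [("long filename", long_filename_rrq()),
               ("long mode", long_mode_rrq()),
               ("traversal", traversal_rrq()),
               ("benign", build_rrq(b"boot/pxelinux.0"))]
    for label, pkt in samples:
        print("%-14s %5d bytes -> %s" % (label, len(pkt), classify_rrq(pkt)))
```

Both overflow packets are well-formed TFTP as far as the delimiters go, which is why a server that splits on NUL and then copies is exactly the server that gets owned: the check has to be on the length of each field, before the copy, not on the presence of terminators.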

A Metasploit proof-of-concept exploit is available from y0@w00t-shell.net.

Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.